A few questions for security pros

I try to keep security in mind, but by no means am I a security expert. I'm curious how you all would handle these situations

1) My company recently switched to Office 365 and plans to use only OneDrive for external file sharing. One that decision was made, we blocked all other file-sharing services. However, lot of my employees receive external files from Dropbox, FilesAnywhere and WeTransfer, so now I've been needed to make a bunch of exceptions to the firewall rules for these people. There's been a request to allow download only access to these services. Do you feel allowing the ability to download files from these places is a big security risk? Should they remain blocked?

2) Kind of related to #1, but today for these exceptions, we have to manually update the firewall rules to add the user-id to the allow list. In my opinion, this would be much more efficient to add an active directory group to the firewall rule, that way only the group needs to be updated. The downside is, how to ensure that AD admins aren't temporarily adding and removing users without our permissions? Is there a way to real-time audit or logging AD group changes ? If so, is it built-in or do I need a third party? I think AD group membership auditing is useful for more than just firewalls. I think today, they will look at membership quarterly, but what good is that if a user was added to the HR share 1 day and then removed? It would never be caught

Find more posts tagged with

Comments

gespenstern

1. If you try to insist on stringent rules that hurt business, you'll end up with demotivated salesmen and struggling business. Business comes first before security, sorry security engineers! I say, download should be okay, but worth devising a plan, if it's not a permanent business need, to get rid of download access to non-approved cloud storage providers in X number of months with appropriate business line leadership.

2. Absolutely you should go with ADDS security groups, no individual accounts. These events (group membership change) get generated by ADDS on domain controllers, just make sure you 1) audit them 2) they get sent to your SIEM for search/preservation 3) you can configure either SIEM or other tool to produce alerts when important group memberships (domain admins, enterprise admins etc) change.

A typical catch here though is firewalls usually don't know users/groups, they know IPs, and there should be a solution in place that tracks user to IP affinity and all of them (besides endpoint agent based, which is limited to supported operating systems) aren't 100% robust.

mnashe

gespenstern wrote: »

1. If you try to insist on stringent rules that hurt business, you'll end up with demotivated salesmen and struggling business. Business comes first before security, sorry security engineers! I say, download should be okay, but worth devising a plan, if it's not a permanent business need, to get rid of download access to non-approved cloud storage providers in X number of months with appropriate business line leadership.

2. Absolutely you should go with ADDS security groups, no individual accounts. These events (group membership change) get generated by ADDS on domain controllers, just make sure you 1) audit them 2) they get sent to your SIEM for search/preservation 3) you can configure either SIEM or other tool to produce alerts when important group memberships (domain admins, enterprise admins etc) change.

A typical catch here though is firewalls usually don't know users/groups, they know IPs, and there should be a solution in place that tracks user to IP affinity and all of them (besides endpoint agent based, which is limited to supported operating systems) aren't 100% robust.

Thank you for reply. I'm one of the ones that agree download access should be fine. The need for receiving these files is not going to stop. I'm all for blocking upload access, as I don't believe we should let employees send our data where ever they want. I asked this question to see if I was being naive for wanting to allow download access

My firewall does recognize groups, but what I'm unfamiliar with is how to audit ADDS security groups? Is that a setting on the domain controller, or do I need to purchase a third party that can audit the security group membership changes?

We don't currently have a SIEM. Any suggested tools?

gespenstern

mnashe wrote: »

Thank you for reply. I'm one of the ones that agree download access should be fine. The need for receiving these files is not going to stop. I'm all for blocking upload access, as I don't believe we should let employees send our data where ever they want. I asked this question to see if I was being naive for wanting to allow download access

My firewall does recognize groups, but what I'm unfamiliar with is how to audit ADDS security groups? Is that a setting on the domain controller, or do I need to purchase a third party that can audit the security group membership changes?

We don't currently have a SIEM. Any suggested tools?

These are type of questions you can easily find plenty of answers already put. Check with www.ultimatewindowssecurity.com on appropriate events and I believe that they had a webcast addressing this specific topic.

Or play yourself if you are a learner through practice -- add/remove yourself from a group and check windows security event log on domain controllers what events get generated by default, play with settings in GP dictating what needs to be audited and what not, etc.

You can get started with free Splunk edition.

mnashe

thanks for the link

UnixGuy

If you don't want employees to send data wherever they want, then having everything go to OneDrive is one way, but a DLP solution need to be implemented (not that it will provide 100% protection).

Also same goes with regard to downloading, strong AV on all layers is in place...but yeah the right way as gespenstern pointed out is to see your policy whether there is a business need for this or not

kriscamaro68

You could always use Powershell to audit the groups. write-up a basic script that does a get-adgroupmember and then emails you or whomever the results of said script and have it run daily or even hourly if you want.

mnashe wrote: »

My firewall does recognize groups, but what I'm unfamiliar with is how to audit ADDS security groups? Is that a setting on the domain controller, or do I need to purchase a third party that can audit the security group membership changes?